Broadcasting With Byzantine Faults - ti.tuwien.ac.at · Network Embedded Systems Broadcasting With Byzantine Faults Voin Legourski. 19.Apr.2007 Voin Legourski - Broadcasting with

Network Embedded Systems

Broadcasting With Byzantine Faults

Voin Legourski

19.Apr.2007 Voin Legourski - Broadcasting with Byzantine Faults 2

Topics• Introduction

– Authentication– The Byzantine Generals problem

• Simulating authenticated broadcasts• Isolating the properties of authenticated broadcast• Byzantine Agreement using authenticated broadcast• Broadcast primitive• Non-authenticated algorithm for Byzantine Agreement• Byzantine Agreement for Multiple Values• Asynchronous authenticated broadcasts• A message efficient broadcast primitive


Authentication

• Fault-tolerant algorithms with authentication– Simpler to understand– Simpler to prove

• Authentication using digital signatures– Additional computation and communication

overhead– Is there an alternative to digital signatures?


Lamport’s Classics• Byzantine Agreement:

– Commander and Lieutenants – must agree on a plan (“attack at time xx:xx” or “retreat”)

– Each one of them might be a traitor

City under siege

General

LieutenantLieutenant

Lieutenant

messages


Lamport’s Classics (2)

• Lamport proposes two solutions– Oral Messages (can be modified by traitors) – Signed Messages– Lamport then shows that the later assumption

simplifies the problem (The Byzantine Generals Problem, Lamport, 1982)


Byzantine Agreement

• A transmitter broadcasts a message to a set of processes– Agreement: all correct processes agree on the same

message– Validity: if the transmitter is correct, then all correct

processes agree on its message• We assume a set of n processes; at most t of

them can be faulty• Agreement on a message

where M is the set of all possible messages }" {" faultysenderMm ∪∈


Byzantine Agreement (2)• No assumption on the behavior of faulty

processes• Complete connected network, reliable message

system• Informally, authentication prevents a process

from changing a message it relays, or introducing a new message into the system and claiming to have received it from some other process

• Restricts the visible behavior of processes


Simulating Authenticated Broadcasts

• Basic idea – use the simplicity provided by authentication without having overhead– Identify the properties of the authenticated

broadcast– Create a broadcast primitive with these

properties– Replace authenticated communication in an

algorithm with this primitive– Proofs remain, since they rely only on the

properties of authenticated broadcast


Properties of Authenticated Broadcast

• Process p broadcasts message m in round k by sending a triple (p, m, k) to all

• A process that receives (p, m, k) accepts it, if it can verify p’s signature

• Synchronous broadcast• Digital signatures – messages cannot be forged• Authenticated broadcast properties

– Correctness– Unforgeability– Relay


Properties of Authenticated Broadcast (2)

• Correctness – if a correct process p broadcasts (p, m, k), then every correct process accepts (p, m, k) in the same round

• Unforgeability – if process p is correct and does not broadcast (p, m, k), then no correct process ever accepts (p, m, k)

• Relay – if a correct process accepts (p, m, k) in round r ≥ k then every other correct process accepts (p, m, k) in round r+1 or earlier


Algorithm Using Authenticated Broadcasts

• Synchronous rounds• Binary messages (M = {0, 1})• Broadcast if m=1, 0 is decided by defaultprocess p: /* m is 0 or 1 */if p is the transmitter then value := m else value := 0;for r:=1 to t+1 doif value=1 and p has not broadcast messages in earlier

rounds thenbroadcast (p, 1, r);relay the r-1 messages accepted in previous rounds that

caused value to be set to 1;if in rounds r’ <= r accepted (pk, 1, rk) from r distinct processes pk, including the transmitter p1 then value:=1;

oddecide value;

Algorithm 1


Algorithm Using Authenticated Broadcasts (2)

• Theorem 1: Algorithm 1 achieves Byzantine Agreement in t+1 rounds with O(n2.t.log(n))message bits.

• Proof:– Correctness, unforgeability and relay follow directly– Validity (if the transmitter p1 is correct then every

correct process decides on p1’s value), we observe two cases

• Transmitter broadcasts 1 – follows by the correctness property

• Transmitter broadcasts 0 – follows by the unforgeability property


Algorithm Using Authenticated Broadcasts (3)

– Agreement – we consider two cases• If some correct process p first sets value to 1 at the end of

round r<t+1– It must have accepted (pk, 1, rk) from at least r processes pk– In round r+1 it broadcasts (p, 1, r+1)– By correctness and relay in round r+1 every correct process

accepts (p, 1, r+1) and all (pk, 1, rk) and thus sets value to 1• If a correct process first sets value to 1 in round t+1

– It must have accepted (pk, 1, rk) from t+1 distinct processes pk– At least one of these t+1 must be correct (say pi)– This pi broadcasts (pi, 1, ri) in round ri≤t+1, it sets value to 1 in

round ri-1<t+1– Every correct process set value to 1 by the end of round t+1

– Required are t+1 rounds, O(n2.t) message complexity


Broadcast Primitive

• The previous proof relied only on correctness, unforgeability and relay

• Digital signatures are just a way to provide these three properties

• In a way to avoid digital signatures Srikanth and Toueg proposed a broadcast primitive, which achieves the three properties in other way

• It can then replace the signed communication directly, since all proofs rely on the same properties


Broadcast Primitive (2)Round k: /* process p transmits (p, m, k) */Phase 2k-1: process p sends (init, p, m, k) to all;Phase 2k: each process executes for each m from M:

if received (init, p, m, k) from p in phase 2k-1 thensend (echo, p, m, k) to all;

if received (echo, p, m, k) from at least 2t+1 distinct processes then accept (p, m, k);

Round r≥k+1:Phase 2r-1, 2r: each process executes:

if received (echo, p, m, k) from at least t+1 distinct processes in previous phases and not sent (echo, p, m, k) thensend (echo, p, m, k) to all

if received (echo, p, m, k) from at least 2t+1 distinct processes in this and previous phases then accept (p, m, k);

Algorithm 2


Broadcast Primitive (3)• Lemma 1: If a correct process sends (echo, p, m, k) then

p must have sent (init, p, m, k) to at least one correct process in phase 2k-1

• Proof:– Let l be the earliest phase in which any correct process q sends

(echo, p, m, k)– If l>2k process q must have received (echo, p, m, k) messages

from at least t+1 distinct processes– It must have received (echo, p, m, k) from at least one correct

process in phase l-1 or earlier– Hence a correct process sends (echo, p, m, k) before phase l – a

contradiction– Therefore l=2k and q must have received (init, p, m, k) in phase

2k-1


Broadcast Primitive (4)

• Theorem 2: The broadcast primitive provides the three properties.

• Proof:– Correctness:

• Since p is correct, every process receives (init, p, m, k) in phase 2k-1 and every correct process sends (echo, p, m, k) in phase 2k

• In phase 2k every process receives (echo, p, m, k)from at least 2t+1 distinct processes

• Therefore every correct process accepts (p, m, k)in phase 2k – that is in round k



– Unforgeability:• If p is correct and does not broadcast (p, m, k) it

does not send an init message in phase 2k-1• If any correct process accepts (p, m, k) it must

have received (echo, p, m, k) from at least 2t+1 processes – at least t+1 correct processes must have sent (echo, p, m, k)

• By Lemma 1 p must have sent init message to at least one correct process – a contradiction


Broadcast Primitive (6)– Relay

• Let q be a correct process that accepts (p, m, k)during phase i, where i=2r-1 or 2r

• Process q must have received (echo, p, m, k) from at least 2t+1 processes by phase i

• Hence every correct process receives (echo, p, m, k) from at least t+1 processes by phase i and therefore sends (echo, p, m, k) by phase i+1

• Hence every correct process receives (echo, p, m, k) from at least 2t+1 distinct processes by phase i+1 and accepts (p, m, k) by the end of phase i+1 –this is in round r+1 or earlier


Broadcast Primitive (7)• Message complexity includes only the

communication of correct processes• Lemma 2: The total number of messages sent

by all correct processes for each broadcast by a correct process is O(n2)

• Proof:– By a broadcast, each correct process sends (echo, p,

m, k) to all other processes– O(n2) follows

• Trade off – message complexity / relay property



• Reducing the message complexity– A set of 3t+1 processes called reflectors is

isolated, they execute the primitive with n=3t+1

– Only reflectors send echo-messages to the others, non reflectors only listen in on and accept according to the algorithm

– A message complexity of O(n.t) is achieved, because there are O(t) reflectors

• A broadcast by a faulty process


Non-Authenticated Algorithm for Byzantine Agreement

• Algorithm 1 solved Byzantine Agreement:process p: /* m is 0 or 1 */if p is the transmitter then value:=m else value :=0;for r:=1 to t+1 doif value=1 and p has not broadcast messages in earlier

rounds thenbroadcast (p, 1, r);relay the r-1 messages accepted in previous rounds that

caused value to be set to 1;if in rounds r’ <= r accepted(pk, 1, rk) from r distinct processes pk, including the transmitter p1 then value:=1;

oddecide value

• Replacing Algorithm 1’s signed communication by the Broadcast Primitive


Non-Authenticated Algorithm for Byzantine Agreement (2)

• The Broadcast Primitive presents implicitly in the broadcast (p, 1, r) command

process p: /* m is 0 or 1 */if p is the transmitter then value:= m else value := 0;for r:=1 to t+1 doif value=1 and p has not broadcast messages in earlier

rounds thenbroadcast (p, 1, r);

/* here no explicit relay is needed */if in rounds r’ <= r accepted (pk, 1, rk) from r distinct processes pk, including the transmitter p1 then value:=1;

oddecide value

Algorithm 3



• Theorem 3: The non-authenticated Algorithm 3 achieves Byzantine Agreement in 2t+2 phases with O(n2.t.logn) message bits

• Proof: – Correctness follows from the proof of Algorithm 1– 2t+2 phases required since each round of the

algorithm is implemented by two phases in the underlying primitive

– Each process broadcasts at most one message, hence correct processes send a total of O(n2.t) when using the broadcast primitive



• Algorithm 3 can tolerate t faulty processes with n>3t

• Impossibility result: Lamport showed that no non-authenticated Byzantine Agreement algorithm exists for n≤3t – therefore no broadcast primitive can provide correctness, unforgeability and relay if n≤3t without using signatures

• Therefore the broadcast primitive in Algorithm 2 is optimal w. r. t. the number of faulty processes



• Optimizations of Algorithm 3– Isolating a set of 3t+1 processes

• Corollary 1: Byzantine Agreement can be reached in 2t+2phases with O(n.t2.logn) message bits (instead of O(n2.t.logn), n>3t)

– The last phase can be omitted• Corollary 2: Byzantine Agreement can be reached in 2t+1

phases with O(n.t2.logn) message bits

– The set of 3t+1 processes communicate strictly among themselves

• Corollary 3: Corollary 2: Byzantine Agreement can be reached in 2t+2 phases with O(nt+t3.logt) message bits


Byzantine Agreement for Multiple Values

• Based on Algorithm 1 for binary agreement• Signed messages or broadcast primitive

process p: /* m is from a set of messages M */if p is the transmitter then values:={m} else values:=ø;for r:=1 to t+1 do

for each m from values that p has not broadcast in previous rounds doif p has not yet broadcast 2 distinct values thenbroadcast (p, m, k);

od;for each m from M doif in rounds r’<=r accepted (pk, m, rk) from r distinct processes pk, including the transmitter p1 then values := values U {m};

ododif |values|=1 then

decide on the value {m} from values;else

decide “sender faulty”;Algorithm 4


Byzantine Agreement for Multiple Values (2)

• Algorithm 4 is a straightforward modification of the binary Algorithm 1

• Each process maintains a set values of potential decisions

• Process p adds m to its values in round r if it has accepted messages containing m from r distinct processes including the transmitter p1

• In the next round p broadcasts m if it has not broadcast yet 2 distinct values

• If on termination values contains 1 element pdecides on it, otherwise it decides “sender faulty”



• Theorem 4: Multivalued Byzantine Agreement can be achieved in 2t+2 phases with O(n2.t.(logn+log|M|)) message bits using the non-authenticated Algorithm 4.

• Proof: – Correctness follows from Theorem 1– Validity

• Transmitter p1 broadcasts (p1, m, 1) in round 1• By correctness, every correct process accepts (p1, m, 1) and

adds m to its set values• By unforgeability the transmitter will not broadcast any more• Hence no correct process can accept (p1, m’, 1) with m≠m’• Hence every correct process terminates with values={m}



– Agreement – consider two cases:• (i) If a correct process first adds m to values in round r<t+1

– It must have accepted messages (pk, m, rk) from r distinct processes pk including the transmitter p1, p≠pk, 1≤k≤r

– In round r+1 p broadcasts (p, m, r+1) if it has not already broadcast two distinct values

– By correctness and relay every correct process accepts these r+1 messages and adds m to values

• (ii) If a correct process first adds m to values in round t+1– It must have accepted messages (pk, m, rk) from t+1 distinct

processes pk– At least one of these processes p2 must be correct; p2 must

have first added m to its set values in round r-1<t+1– By previous case every correct process adds m to values



• Let p be a process that has max(|values|) by termination– If p has |values|≤2 it follows from (i) and (ii) that the set values

of every correct process contains at least the elements that phas added to its set

» Since p has the largest set values, every process has the same elements in its set values

» Therefore, all correct processes reach identical decisions– If p has |values|>2 it follows from (i) and (ii) that the set values

of every correct process contains at least two of the elements that p has added to its set

» Therefore, every correct process has |values|>1 and decides on “sender faulty”

• Thus Agreement is satisfied



– The algorithm requires t+1 rounds or 2t+2phases

– Each correct process broadcasts at most two messages, therefore correct processes send a total of O(n2.t) messages using the advanced broadcast primitive (Algorithm 9, described later)

– Since messages are O(logn+log|M|) bits long the total bit complexity is O(n2.t.(logn+log|M|))


Asynchronous Authenticated Broadcasts

• Messages sent are eventually received but it could take arbitrary time

• Weaker properties:– Correctness: If correct process p broadcasts (p, m, k)

then every correct process accepts (p, m, k)– Unforgeability: If correct process p does not

broadcast (p, m, k) then no correct process ever accepts (p, m, k)

– Relay: If a correct process accepts (p, m, k) then every other correct process accepts (p, m, k)


Asynchronous Authenticated Broadcasts (2)

• Asynchronous broadcast primitive

Round k (phase k):process p sends (init, p, m, k) to all processes.Each process executes the following for each m from M:if received (init, p, m, k) from p thensend (echo, p, m, k) to all;

if received (echo, p, m, k) from at least n-t distinct processes in previous phases thenaccept (p, m, k);

if received (echo, p, m, k) from at least n-2t distinct processes in previous phases and not sent (echo, p, m, k) thensend (echo, p, m, k) to all;

Algorithm 7


Asynchronous Authenticated Broadcasts (3)

• Theorem 6: The primitive in Algorithm 7 achieves the properties of correctness, unforgeability and relay in asynchronous systems

• Proof: Follows from the proof of Theorem 2, when using the assumption that messages sent out by correct processes are eventually received by all correct processes

• The primitive can be used in developing non-authenticated asynchronous algorithms from authenticated ones


A Message Efficient Broadcast Primitive

• Problem with the Broadcast Primitive from Algorithm 2– Broadcasts by faulty processes may cause correct processes to

send O(n2) additional messages for each round• The following broadcast primitive reduces the number of

messages due to faulty processes by imposing additional restriction to the behavior of faulty processes

• It ensures that faulty processes do not execute more broadcasts than allowed by the algorithm

• Additional constant R is declared – each process can broadcast at most R messages

• This reduces the number of messages, sent by witnesses


A Message Efficient Broadcast Primitive (2)

• Additional types of messages:– init’ – sent by processes in the third phase of

a broadcast– echo’ – sent by processes in the remaining

phases of the broadcast• Each round r corresponds to two phases

2r-1 and 2r of the primitive



Round k:Phase 2k-1: process p sends (init, p, m, k) to all;Each process executes the following for each m from M:Phase 2k:if received (init, p, m, k) from p in phase 2k-1 and received at most R (init, p, *, *) messages from p

in all previous phases thensend (echo, p, m, k) to all;

if received (echo, p, m, k) from at least n-t distinct processes in phase 2k thenaccept (p, m, k);

Round k+1:Phase 2k+1:if received (echo, p, m, k) from at least n-2t distinct processes q in phase 2k and received at most R

(echo, p, *, *) messages from q in all previous phases thensend (init’, p, m, k) to all;

Phase 2k+2:if received (init’, p, m, k) from at least n-t distinct processes in phase 2k+1 thensend (echo’, p, m, k) to all;

if received (echo’, p, m, k) from at least n-t distinct processes in phase 2k+2 thenaccept (p, m, k);

Round r≥k+2:Phase 2r-1, 2r:if received (echo’, p, m, k) from at least n-2t distinct processes in previous phases and not sent

(echo’, p, m, k) thensend (echo’, p, m, k) to all;

if received (echo’, p, m, k) from at least n-t distinct processes in this and previous phases thenaccept (p, m, k);

Algorithm 9



• Lemma 3: If a correct process ever sends (echo’, p, m, k), then at least one correct process must have sent (echo’, p, m, k) in phase 2k+2

• Proof:– Let l be the earliest phase in which a correct process q sends

(echo’, p, m, k)– If l≥2k+3, process q must have received (echo’, p, m, k)

messages from at least n-2t distinct processes, hence from at least one correct process in phase l-1 or earlier

– Hence a correct process sends (echo’, p, m, k) before phase l –a contradiction

– Therefore l=2k+2



• Lemma 4: If a correct process ever sends (echo’, p, m, k) then p must have sent (init, p, m, k) to at least one correct process in phase 2k-1

• Proof:– By Lemma 3 if a correct process q ever sends (echo’, p, m, k)

then some correct process must have sent (echo’, p, m, k) in phase 2k+2

– Therefore process q must have received (init’, p, m, k) from at least n-t processes in phase 2k+1 – at least n-2t of these processes are correct and each of them must have received at least n-2t (echo, p, m, k) messages in phase 2k

– Hence at least one correct process must have received (init, p, m, k) from p in phase 2k-1



• Theorem 7: The broadcast primitive of Algorithm 9 has the properties of correctness, unforgeability and relay

• Proof:– Correctness:

• Since p is correct, every correct process receives (init, p, m, k) in phase 2k

• Hence every process receives (echo, p, m, k) from at least n-t correct processes in phase 2k

• And every correct process accepts (p, m, k) at the end of phase 2k, that is at the end of round k



– Unforgeability:• If p is correct and does not execute broadcast (p, m, k) it

does not send any message (init, p, m, k) in phase 2k-1 and no correct process sends (echo, p, m, k) in phase 2k

• Hence no correct process can accept (p, m, k) in phase 2k• If some correct process accepts (p, m, k) at the end of phase

2k+2 or later it must have received (echo’, p, m, k) from at least n-t distinct processes, which means from at least n-2t correct processes

• By Lemma 4 p must have sent (init, p, m, k) to at least one correct process in phase 2k-1 – a contradiction

• Thus no correct process ever accepts (p, m, k)



– Relay:• Let q be a correct process that accepts (p, m, k) in phase i, where i=2r-1 or

2r• If r=k then q must have received (echo, p, m, k) from at least n-t distinct

processes in phase 2k• Hence in the same phase 2k every correct process receives (echo, p, m, k)

from at least n-2t distinct processes and sends (init’, p, m, k) in phase 2k+1• Therefore every correct process sends (echo’, p, m, k) in phase 2k+2 and

every correct process accepts (p, m, k) at the end of phase 2k+2 – that is in round r+1

• Suppose r≥k+1, then process q must have received (echo’, p, m, k) from at least n-t distinct processes by phase i

• Hence every correct process receives (echo’, p, m, k) from at least n-2tdistinct processes by phase i and therefore sends (echo’, p, m, k) at or before phase i+1

• Thus every correct process receives (echo’, p, m, k) from at least n-t distinct processes by phase i+1 and therefore accepts (p, m, k) by the end of phase i+1, i.e. in round r+1 or earlier



• Message complexity– We consider again only messages sent by correct processes

• Lemma 5: In an algorithm in which the broadcast primitive of Algorithm 9 is applied, each correct process sends a total of O(R.n) (*, p, *, *) messages for each process p.

• Proof:– Each correct process accepts at most R (init, p, *, *) messages

from a given process p and thus sends at most R echoes– Each correct process sends at most R.n/(n-2t)≤3R (init’, p, *, *)

messages because:• It sends (init’, p, *, *) only on receiving at least n-2t (echo, p, m, k)• And, of course, n>3t



– We now show that at most 6R distinct (echo’, p, *, *) messages are sent by the set of correct processes

– Let C be a set of n-t correct processes– By Lemma 3 if a correct process sends (echo’, p, m, k) in any phase

some correct process q must have sent (echo’, p, m, k) in phase 2k+2– That means q must have received (init’, p, m, k) messages from at least

n-t processes – that is at least n-2t correct processes in C; or the sending of (echo’, p, m, k) requires the sending of (init’, p, m, k) by n-2t correct processes in C to all – i.e. a total of (n-2t)n

– Hence processes in C send a total of at most 3R(n-t)n (init’, p, *, *)messages, since each correct process sends at most 3R init’

– The total number of distinct (echo’, p, *, *) sent by the set C is bounded by 3R(n-t)n/(n-2t)n≤6R – i.e. each correct process sends at most 6R(echo’, p, *, *) messages

– Therefore each correct process sends at most 10R (*, p, *, *) messages to all, a total of O(n) (*, p, *, *) messages



• Corollary 3: For each process p, the total number of (*, p, *, *) messages sent by all correct processes is O(R.n2)

• Further optimization:– We isolate a set of 3t+1 processes (reflectors) and

execute the primitive with n=3t+1, so that only reflectors send messages and the rest only receive and accept according to the primitive

– The number of messages sent by all correct processes for process p is O(R.n.t)


Conclusion• Design of fault-tolerant algorithms is complex• Message authentication makes things simpler

but has drawbacks• Reducing non-authenticated algorithms to

simpler authenticated ones– Based on broadcast primitives– Same proofs as authenticated versions

• Solution to the Byzantine Agreement• Asynchronous version of Byzantine Agreement• Optimized broadcast primitive


Thank you for your attention!

Documents

Broadcasting With Byzantine Faults - ti.tuwien.ac.at · Network Embedded Systems Broadcasting With Byzantine Faults Voin Legourski. 19.Apr.2007 Voin Legourski - Broadcasting with